Sep 29, 2024
Episode Description
In this conversation, Adi interviews Jose Alvarado, the Director of Information Security at Stagg's Payment, about his journey in the field of cybersecurity. Jose shares how his interest in IT and networking led him to specialize in cybersecurity. They discuss the difference between IT and security roles, the importance of collaboration and communication in the security field, and the challenges of creating a security-focused culture within an organization. Jose also shares his experience dealing with a serious incident involving ransomware and emphasizes the need for organizations to assess and validate their security measures. The conversation with Jose focused on the challenges and priorities in cybersecurity, the importance of effective communication, the issue of burnout in the industry, and advice for those starting out in cybersecurity. Jose emphasized the need for organizations to ensure they are actually implementing the security measures they claim to have in place. He also discussed the challenge of balancing technical expertise with business understanding and the importance of concise and effective communication. Jose highlighted the issue of burnout in the tech industry and emphasized the need for leaders to be aware of their team's workload and mental well-being. He advised those starting out in cybersecurity to prioritize gaining experience and knowledge, rather than focusing on money, and to seek out opportunities that provide a wide range of experiences. Jose also discussed the evolution of cybersecurity as a separate field and the satisfaction he finds in completing projects and seeing the results of his team's efforts.
Watch On YouTube
Hi everyone, welcome to the Hands-On CISO podcast. My name is Adi, and today we'll be talking to Demetrius Stu, if I said the name correctly. With over two decades in security and over a decade as a CISO, Demetrius's information security background is extremely comprehensive, ranging from standards compliance, technical security evaluation, risk management, secure development life cycle, SecDevOps, and social engineering. Currently Demetrius is CISO of taptap sand group, and today we'll hear more about his journey and about security as a field. Demetrius, how are you doing today?

Hey, I'm good, thank you for having me. And you nailed it on the name, which is really not happening that often for non-Greek speakers, but I'll give you a nine out of ten. Thank you very much.

Okay, so Demetrius, you've come a long way in security. Can you tell me how you got started?

Yeah, I think I can summarize it in two key points. One is, I think I was always a nerd or a geek. I don't think that term existed back in the late 80s, early 90s when I was growing up, but I loved video games, and I couldn't afford playing the video games where you feed in the coins. So eventually I bought a computer and I started playing at home, and then I started making my own games. So that got me into computers and into the idea that I wanted to work somewhere in IT, whatever that meant back in the early 90s. And then I think what got me into security is a combination of working with things like Linux and networks, and also, I'm not going to hide it, I was heavily influenced by movies like WarGames and Hackers back in 1995. I thought that looked like a very interesting and very exciting thing to do. So I started as a system engineer who gradually moved into what today we would call IT security, and then gradually made it into information security. In the past 15, 16 years I have been working as a CISO for a number of companies.

Amazing. And did you see a big difference between different companies when you were already in your CISO years? Was it pretty much the same way you went, or is each company very different?

So I think there are some similarities and some differences. Generally, and being a bit cynical, I will bucket the companies into two main categories. One is the companies that hire a CISO because they need to have one. They don't necessarily see the need, but because some regulation or some board said, okay, why don't we have one of these roles, they hire a CISO. They don't want a lot of interruption from their CISO; they just want to be able to go through some audits and maybe have the CISO talk externally and things like that. And then the other bucket is the companies that, forced or not, see a need and see a value in having someone who runs security, and then they hire you to do exactly that. Now, when it comes to the day-to-day things that you do, they're pretty similar between these two buckets of companies, but I think what differs is the mandate that you have and the level of change and influence you can exert on the organization, depending on which bucket of companies hired you.

Interesting. I would assume that the companies that value security are the ones that are more enjoyable to work for.

Again, being cynical, it's not a huge difference if you know what you're stepping into, right? So if you know that I'm going to step into this company, I'm going to be able to do little things and I'll try my best, that has its interest, because you're given a very small box to play with and you need to stay within that box, but you still need to achieve some things. And if you are working for the other bucket of companies, you have a much bigger box, but then you have limitations, like you can't have unlimited budget to touch everything in that box, and so on. So they both come with challenges. I think the most important thing, and what I tell people, is make sure you understand what they're hiring you for: if they just want to have you in the org chart, or if they want you to come in and destroy everything and then rebuild it in a better way.

Interesting. What does your day-to-day
look like now?

Day-to-day, yeah, it's not very standardized, so it differs. Some days I have a lot of meetings, when I need to talk to both internal and external stakeholders. Some days are dedicated to updating or creating new documentation needed for an information security management system. I do spend quite some time with auditors, but that's kind of seasonal, so there are seasons with a high level of audits and seasons with a low level of audits. Generally, talking a lot with people, anywhere from the CEO to a developer, and either consulting them on security terms or hearing what they want to do next and trying to figure out what's the risk there and how we could mitigate it or avoid it early. Trying to keep up with a lot of things, both in terms of what technologies we use but also what's happening in the world. So an example would be, we don't use Microsoft, but if Microsoft is under heavy attack, that might affect our customers, which might reflect on us. So even if I don't use Microsoft, I still need to care that Microsoft is having an issue. So that's a lot of blogs, Twitter, watching videos, trying to keep in touch with several professionals and friends on LinkedIn. An assortment of things.

Interesting. How do you balance between doing work that is, let's say, work work, like really implementing new solutions, managing the team, talking to management, and learning about new things happening, learning about new technologies?

So I do believe in the idea of hands-on learning. So for example, if I want to consult our team on how to implement some piece of code so it doesn't have an SQL injection, sure, I can tell them to go read the document, but I can also try to write a small piece of code myself and understand why it was vulnerable and how we can make it not vulnerable. And then I can go to them and say, hey guys, look, I'm not a developer, but I wrote these 10 lines, and this is bad, this is good, can you translate that into our actual code base and avoid having this mistake? And that means that I learned something, not only about the theory of what an SQL injection is, but also how it's pragmatically implemented or not implemented. But also the developers hopefully look at me and go, okay, he's not just giving us a standard or a piece of paper to work at, he's willing to work with us.

Interesting. Do you ever feel like a bad cop? Like, is there ever the "I have to say no"?

Oh, I say no all the time, but nobody cares. So let me explain this. I'll tell you what I mean. That's one of the things that I try to clarify before I join any company, and I explain that there are two operational models. One is I'm fully responsible for security, which means that I can say yes or no, but that also means that I have the budget and I can override other people in the company. And then, sorry, very rarely will any company allow me to do that. Then the other model, which is very common, is something of a trusted advisor. So someone will say, oh, we need to do this new thing. So I will look at this new thing and say, I see these five risks. Ideally, if we don't do this, we don't have to care about these five risks. If we do want to do this, here is what we need to do to mitigate these five risks or eliminate them. And then I submit that to the business owner, which usually will be someone like a COO or a CEO, and then they can make an educated decision. And if they tell me we need to mitigate, then I will work on my proposals to mitigate. And if they say, you know what, it isn't worth it, we're going to take the risk, and if it blows, it blows, that's fine, we document that and we do that. So that's why I say, I say no, but at the end of the day not a lot of things are my decision, because security is there to support the business and enable the business, and if the business is willing to take a risk after they understand the implications, then who am I to say no to that?

Interesting. So you're saying, at the end of the day, I don't make the decision, I let them know what the consequences might be, what the risk is, and then they decide what actually happens.

Yeah. The typical example I give is, imagine you are smoking and you go to the doctor, right? And the doctor says, you know what, that's not good for you, you need to stop smoking. And then it's up to you, right? You know the consequences. The doctor will not come to your house and take your cigarettes away. If you want to listen to the doctor, that's great, you're going to benefit, the doctor is going to be happy because you live longer. If you go, yeah, you know what, smoking is cool, I don't care about the risk, then that's on you. Like, what more do we want the doctor to do?

Interesting. Have you ever been part of a company that had a serious breach or a security incident? Of course no names or anything like that, but have you had to deal with that?

Kind of. So I joined the company like one week after they had the big incident. So although I wasn't present for the incident itself, I had to deal with the aftermath, and the aftermath included both the technical side of how do we make sure that this never happens again and where did we fail when this happened, but also communication, because it happened in a company where our target audience and the people who were affected are extremely technical, geeky people. So they had a lot of questions. They understand the internet, they understand what the breach is, and they wanted to know how that happened. So there was a lot of stakeholder management, both internally but also externally, plus the technical work that we needed to do to never have it happen again.

How do you deal with that kind of
situation?

So generally my approach is being as honest as possible, assuming that the lawyers approve, right? Because from a technical perspective it's quite easy to explain what happened: we forgot to do X, that means that an attacker found X and they exploited it and they stole 10 records, or whatever. It's very easy to say that. Now the question is, what are the legal implications of you saying that, and that needs to be cleared by legal and PR people and that type of thing. But after they gave me some kind of guidelines of what I can say and cannot say, then I try to be as honest as possible and explain to the users: look, we're all on the internet, most of us grew up on the internet, we know that bad things happen, we apologize, we're going to be better by doing XYZ, sorry for the inconvenience. And in the first two months people were really pissed and we saw our subscription base going down, but then after two months they kind of realized that we were being honest about it, and we hit the previous level and continued growing. So although it was very uncomfortable, it didn't really affect the company in terms of the company having to shut down because of that one incident.

Cool. Do you think it's common for companies to think they're more secure than they actually are?

I think it's difficult to measure it in a reliable way. So generally you have a feeling, right? So the feeling can be, I have X number of monitoring tools that show everything green, I look around and I see people following the processes. Now, are the processes secure? Hopefully some external auditor will weigh in on that. I feel it's very, very difficult to measure. Like, you can identify gaps and say, oh, we don't have a process for X or for Y, but if you have the process, I don't know how you say that makes me 80% secure, 90% secure.

Interesting. So you're saying it's more of a 90 or 10?

I'm saying it's more of a feeling. Like, there is some objectivity in theory. So if you go for some kind of certification like ISO 27001 or SOC 2 or these types of things, or PCI, hopefully they do enough checking to say that you have whatever is needed in order. But I don't think that if you look at two companies that went through a PCI audit they will be doing exactly the same thing. So there is some subjectivity from the auditor side there. So that means, on paper these companies are equally good, but realistically one company may be doing 10 more things and therefore hopefully they're better, but this is not depicted anywhere and very difficult to see.

Got it. Is there any significant difference between working in a fintech company like you do now and working in a company that's more, maybe, like regular tech, where a data breach isn't as big of a deal?

I think one key difference, one big difference, is for sure the fact that fintechs are way more regulated, is my feeling, compared to previous companies. That means that if you look past the typical infosec standards like ISO, PCI, SOC, whatever, then you will find that your business is regulated by some sort of a regional or, like, grand regulator, like an EU entity, which means you have to care about way more things than a company that maybe isn't so much regulated. If you go past that, I don't think it's a huge difference. So at the end of the day each company uses data to do whatever they do, and in our case it's financial information, and if you work for a health startup or a health company it's medical records, and if you work for someone else it's probably customer information. But data is data, and we need to protect this data. I don't think the form of the data makes a huge difference. What makes a difference is how many external authorities are interested in how you're doing that.

Interesting. Do you feel like the stress of being... well, actually, I'll phrase that differently. As a CISO it sounds like you're always very on, like you're very ready for anything to happen. Do you see a lot of people dealing with stress in healthy ways in the field, or is it something that's less talked about? Do you even experience it?

I think there is a level of stress. The way I try to approach it is with my favorite expression, which is "it is what it is." So whatever happens, either I have control over it and I can do something about it, which means there's no reason to stress, or I don't have control over it, which means stressing doesn't help. So, to give you an example, if I use GitHub to store my source code and GitHub dies for three hours, it's not great, but what can I do? I'm sure the GitHub engineers are working on it to get it back. On the other hand, if I realize that I have really crappy permissions on GitHub, I can fix it, so again, no stress. So I think, again, it's about expectation management, like what is expected of a CISO, what do you think your role is. Obviously nobody wants to sit in a company where your main partner is down and nothing is working, but then if you have identified that this is a risk, if the management told you we're not going to buy a second GitHub, like we're not going to get GitLab as well as a backup, then you've done your job. You identified the risk, the company accepted it, you will assist GitHub if they ask you, but why would they ask you, and that's it. And then you wait for GitHub to come up.

That's a very calm, nice approach to it, so that's interesting to hear. Do you... I had a question as you were talking, I don't know, maybe I'll come back to it later. What do you think right now is one of the biggest challenges in cybersecurity?

So I don't think I can speak for the whole field, but one of the things that kind of stresses me is the fact that everything nowadays is cloud-based or SaaS-based or whatever you want to call it. So back in the day, way back in the day, when people needed something, we'd have to deploy a server in our data center and we knew exactly what was happening. Today I'm not sure I can tell you with 100% certainty what we are doing as a company. And what I mean by that is, we offer our employees, let's say, two services where they can store files and they can exchange files, but I'm quite certain, a non-zero chance, that some people somewhere are using a service that we know nothing about and they have put some company documents on that service, and then these people will leave the company and these documents will never be deleted on that service. So that's a bit scary, and we try to manage it. It's easier to manage if the service requires some form of payment, because we can control that on the finance level. But if it's a totally free service, like let's say Dropbox, if someone just downloads Dropbox and they're using it to store documents, I will never know about it. That's a source of a breach. I won't even know how to respond if we are breached by using an unauthorized service. So that's the thing that stresses me the most.

Interesting. What do you think is something that people tend to not really understand when they're not from the security field and they make these decisions, maybe to do things that risk the company's position?

I think it's twofold, right? One
is, I'm starting from the position that people are not inherently malicious. So when someone does something that is not really as secure as it should be, my initial understanding and assumption is that they made it either by accident or because they didn't think that they're doing something bad. So that's on me and my team and the rest of the company to actually educate people and let them know that we have some approved tools and processes and whatever for a reason, and they shouldn't sacrifice security for their convenience. The other thing is, especially with younger people, they grew up on the internet, and the internet was a thing basically for them since forever, and although they know how to use it, they don't necessarily understand how it works. So it's not always evident to them what it means to use a service, to upload your data somewhere, to log in somewhere, to reuse the same password for convenience, to download random applications to your phone or to your computer, and whatnot. Again, I recognize that they didn't have to be there when these things were being built, and we have to understand what we're building. But again, it's an awareness, and I don't like the word training, but awareness: keep telling people, yeah, there is a way to do this, let me help you, or ask me if you don't fully understand what's going on.

How do you create a culture that is security aware in a company, so that the employees know to come and ask you if anything looks weird?

Yeah, so tying back to what you asked me about being the bad cop and saying no. So I don't really say no, I say "yes, but let's XYZ," which means, you want to do that? Cool, okay, yes, but let's see: can we do it in a secure way, do we have a way already today that works, or whatever. The second thing is, I try very, very hard to avoid personal blame. So someone clicks on a phishing link, I will definitely not make that public. I might speak to that person and try to identify why that was the case, but I try to focus more on the problem and less on who created the problem, because that makes the person even more defensive in the long run. And the third one, I think it stems from the top, right? So I had experiences in the past where we deployed a policy that said we shouldn't do X, and then I had the CEO doing X, and that's not great, because if people see the CEO doing X, they think that the policy doesn't apply to anybody. And then I had to educate the management team that, look, either we have this policy and you follow it, or we don't have this policy, and then this is the risk, and are you happy with that? So I think it comes from the top. It's important for the CEO to either talk about these things or bring the security talk to the whole company, to show the company that security is important and that people can't just brush it under the rug if they don't feel that it's convenient for them.

Interesting. Do you remember any security mistake that you've made that created some issue, and then you had to deal with the consequences?

Oh yeah, yeah.

Let me know.

All right, so that was quite early in my career, and I was working as a security consultant. So we were employed by a mobile operator company, think like Orange, O2, these types of people, to do an assessment of their infrastructure. They provided us with an IP range that we were supposed to test, and they made a mistake in the range, and we made a mistake by not confirming the range with them. So effectively we were supposed to attack, let's say, 250 computers, and we ended up attacking 60,000 computers, and some of the devices on that network were not really built to be attacked. So effectively we killed mobile communications for that provider for seven minutes for a whole country.

Nice.

Yeah, I don't know if it's nice. It happened.

So what do you do after an event like that? Like, what's going on in your mind, what do you actually do?

So first of all, we apologized. Second of all, we tried to see if we had followed our motto, which is "scripta manent," like, the written stuff remains. So we did check all the communication, and we did identify that that's what they told us. Of course we should have confirmed, but at the end of the day we also said, look, you told us to do this, we did this, we screwed up, we apologize, but yeah, it is what it is. So yeah, we finished the assessment. They weren't extremely happy about it, but on the other hand they understood that if anything happened to that particular piece of network, mobile operations would die in the country. So that was a good test for them to go and fix it. They didn't really ask for it, but they got it as a bonus.

That's nice. Interesting. How do you view balancing between business on the one hand, like communicating the needs to management, and actually keeping a company secure, but not creating a situation where people can't do things?

All right, so generally my input is three things, right? So one source of input is regulations. So if we are obliged to fulfill a standard like PCI because we handle credit cards, or because we operate in a particular region and the regulator says you need to do X, I consider these things non-negotiable, and I explain to the management that, okay, if we fail on this we're not getting the license from the regulator, or we are failing the PCI accreditation, so do you agree that these are non-negotiable? Yes? Great, this we're doing no matter what. The second source of information is the internal risk management. So after we have done all the basic stuff that PCI and anybody else requires, it's, all right, we know our system better than anyone, where do we think we might have problems? And then we document this, we assess the risk, and sometimes we act on it, and sometimes we accept it, and sometimes we review it after a few months to decide what we're going to do. So that's the area where there's a bit of negotiation with the business, which is, sure, I see it as a risk, but maybe you guys in sales don't see it as a risk, but can we agree? If not, we're going to push it up to the COO or the CEO to make a decision. And then the third source is what you would call housekeeping or best practices, and those I try to do as much as possible. When they start introducing a lot of hassle or a lot of cost, maybe I will move them into the risk management bucket, but if it's simpler things that wouldn't change life significantly within the company, I just try to do them with some agreement from the internal stakeholders. Like, hey guys, I'm going to reorganize the access groups and you lose access for 30 minutes, but after that it's going to be easier to handle access, or, you know, things like that. So yeah, based on these three buckets, some of them are kind of forced, some are a negotiation, and some are not exactly optional, but also, you know, you have to be a bit cool about it, don't go crazy.

Got it, got it. And do you think there's widespread agreement overall about what you said among CISOs? Or do you think each person has their own way of viewing it?

I don't think there's an agreement. I occasionally check LinkedIn and I see CISO job ads, and they can range from anything: you need to have two years of experience, to you need to have 25 years of experience, and you need to be an individual contributor with hands-on work, to you will manage a team of 100 people and you will not touch a single server. So I think generally what the companies are looking for is someone to assume certain responsibilities about infosec or IT security, but I don't think there's an agreement. If you say CFO, everybody pretty much understands the same thing, right? But if you say CISO, it can be one individual contributor who also configures the firewall themselves, or it can be someone who has 20 teams and each team has five people and each one is really focused, one team on the firewalls, one team on identity management, one team on incident management, and whatnot. So I think there's a huge discrepancy in what the role means, and you need to ask more questions, basically, if you want to understand what's going on.

Interesting. Is that something that happened over the past few years, or was it always sort of a role where it wasn't really defined?

I think it expanded more in the last few years, and the reason is that, because of certain regulations and that kind of influence, more companies were forced to have someone to deal with security. If I look 20 years back, maybe even a bit more, most companies maybe had someone called Chief Security Officer, and their job would be mostly to deal with physical security, so corporate offices, data centers, that sort of thing, and the IT security or the technical security would mostly go into some kind of a platform engineering or IT department. I think they started to carve that out now, and most companies nowadays, at least the ones I see, dropped the need for physical security because everybody moved to AWS, GCP, Azure, or something similar. Corporate offices are still a thing for some companies; many others have moved to employee colocation or even work from home. So they started bringing in CISOs to work more with the information and the technical aspects of security, and less with the physical aspects of security.
Cool. How do you feel about AI?

I mean, I don't know, I don't care really.

Because I see that sometimes CISOs are like, this is amazing, this is going to help security so much, this is wow, and the others are more like, this is going to make phishing so much more complicated, this is going to create new kinds of attacks.

And so I... okay, let me rephrase the "I do not care." So what happens at the moment is every vendor under the sun is reaching out to me and they say our product has AI, and that part I really do not care about. If I'm buying a product, I want it to solve a problem, and I don't really care how you do it, solving the problem. So you can have AI, you can have one billion people working behind the scenes, you can do whatever. I'm not buying because you have technology X, I'm buying from you because I want to achieve something. So from that perspective, I think so far it has been very hyped marketing-wise, and I don't really subscribe to "oh, buy this antivirus because it has AI." Okay, great, but does it work? That's the obvious question. I've dabbled a bit with ChatGPT, and in terms of information security it's a good help, right? So instead of Googling for things I could ask ChatGPT and it will give me some examples. So a good example I can bring up here is, let's say I want to write a new policy. I have an idea of how to do it, but I would like some kind of a template to bounce off. So I can either Google and download 10 templates and try to synthesize them myself, or I can ask ChatGPT and it will give me some answers, and then I need to adapt them to my company. So to that extent it works. I think problems here will arise if you don't really know what you're doing and it spits out two pages and you go, sure, I'll just do that, and then you don't have the context of what you're doing. And then the other area I played with is Copilot, Claude, like code completion, these types of things. For simple things that I do, because I'm not a developer, they seem to work quite nicely and they do help me. And I don't fully understand how it happens, but I can ask the AI questions about why it made the decision, and it will give me an answer that I can understand. I don't know if we're at the point where I could trust our developers to use that code directly in production, but if it helps them become better, better educated, I'm all for it. I'm not going to object to an awareness tool. I just told them, do not copy-paste that code into production unless you fully understand what it's doing.

Interesting. Do you manage a team currently?

Indirectly, yes. So I have a bunch of people that we have dubbed the security champions. Generally my preference is to not have a security team but to work with people who are either security knowledgeable or security interested and closer to the ground, because what I have observed in the past when having a security team is that people generally took the approach of, oh, this is going to be handled by the security department, I do not need to care that much, and then they throw it over the fence, and typically that doesn't work. So in the past few companies I worked with the idea that, look, I have a security champion in the platform team, so if I want to do infrastructure improvements, that's my person. I have a security champion within finance, so if I want to do anything with the way we do security in the finance system, that's my person. And the same with development and people operations and whatnot. So they don't really report to me in the sense that I will do their annual review or anything like that, but we do work as a team to make sure that we achieve the goals throughout the company.

Interesting. So you prefer that you don't have anyone who is specifically security?

I prefer that for two reasons. One is the reason I explained, which is, if you have 100 developers and you have three or four security engineers, these four security engineers cannot review and fix code from 100 developers on a daily basis, right? So it's a scaling problem. The second thing is, it's way more probable that people in people operations understand the HR system than a person that I will hire in the security team. So if I want to ensure that the HR system has proper permissions, working with someone from people operations, even if they can't express themselves in technical terms, they can still explain to me exactly how they would like the system to be handled, and I can give them and other people documentation and we can make it happen for them. The opposite of that would be, I assign a security engineer, they have never seen the HR system before in their life, they have no understanding of how to build permissions, and even if they do, they don't know the use cases, so it ends up as an unsuccessful project.

Interesting. That's an approach I haven't heard yet, but I can see how it makes sense, like that you're kind of spreading the responsibility between a lot of different people who have a lot of different knowledge types.

Yeah. A good example for this is, let's say, vulnerability assessment. So we, me and my people, would provide the tool and we would provide explanations of what the tool responds with, but at the end of the day, besides what the tool says, the developer will be much better placed to tell me, you know what, yes, the tool is right, but this will never happen because in front of that server there's this server that will never allow this to happen. And because they're working with that on a daily basis, they will have a bit better understanding compared to me, who has more of a bird's-eye view.

Cool. What do you think changed about cybersecurity over, like, your decade?

I think the fact that we don't own anything. So again, back in the day you needed a web server, you put it in your data center; you needed a source code repository, you installed something on your server; you needed a mail server, you deployed Exchange or whatever it is. Now everything is in the cloud, everything is interconnected, you have some knowledge or degree of certainty of where your data are flowing, but it's not very easy to understand what will be the impact of something, so
if I'm using GitHub and GitHub loses one of their suppliers for three hours I'm impacted but like why I I never heard of
that company I don't understand why I'm impacted so it became way more complex because everything now works on apis and
interconnections and it's it's way more complex mesh to understand what the
impact might be if something happens anywhere in that mesh interesting is there anything that
you think cesos tend to overlook or maybe Miss I don't think
we Overlook anything I think what we definitely miss and I miss all the time
is um when things happen and I don't know about it so right now I'm working on on company
which is remote first which means that like the product owner and the head of engineering might now discussing
something totally revolutionary that will destroy everything and unless one of them PS me I will not hear about it
until they start writing code about it so I think it's an information issu SL
problem maybe it was marginally better when we were all in offices and you could have lunch with your colleagues
and and you know ask them hey what are you working on and uh but I do think that's the the part that I miss often
maybe not that often nowadays but I still miss like someone is deciding something they haven't asked security
for input and then we we go before some already made decision and then we need
to scramble to fix it interesting what do you think the field
the field is going to look like in a few years and what do you think the ca role will look like do you think it's going
to stay the same sort of undefined pretty open to anything term
ciso or do you think it's going to get more specific I I I I don't really have like
great visibility into this I I can tell you from personal experience it will depend a lot on how
much the The Regulators decide to act on this so for example in my current company we
regulated both by usn regulators and European Regulators now the the European
Regulators they do have regulations about security but they don't really call out any specifics related to what
the sees should be doing like uh Dora for example that's coming in they do have a lot of activities but certainly
they talk about like a competent person and and in these type of terms pretty
much what gdpr did with the role of the DPO just very high level very vague on
the other hand the US Regulators they do specify what they want the ceso to do they also want to
approve the ceso through some kind of an application process so for them it's a
bit more well structured in the sense that if you're a fintech and you're having a license in the US there is a framework that defines you
as a seizure or at least an expectation from the regulatory side of what you should be doing so I don't know if that
us mentality will prevail or the European one will prevail but uh I don't think the companies will come into an
agreement themselves and agree what their role is if it's not forc externally every company will tailor it
to what they believe is their need uh for that role and in terms of the
field like I don't know unless AI does something
magical and we get to a point where we can use it and being absolutely tailored
to our own business and not getting a generic answer I don't don't see a lot of change I see more need probably with
people with good technical understanding because we as I said we're getting more interconnected so maybe five years ago
you could just say I understand AWS and be good enough but now you need to know AWS and a bit of gcp and a bit of
something else and AWS is talking to GitHub and GitHub is talking to slack so
I I think the the bar for technical knowledge is probably going higher
Great Lost My Chain of Thought so what do you think is an important
piece of advice for someone who is looking to get into cyber security or is
looking or is you know just starting out but wanting to get to these higher levels of being SE so e
all right I would say as a first step kind of security has a lot of fields and
you need to figure out what you like and what you like you're going to be doing for a very long time so if you really
want to do technical stuff then maybe you can start as a pen tester and move from there if you like to do technical
stuff but also build things instead of destroying things maybe you can be like a Dev Dev secops engineer either
focusing on infrastructure or sorry on on development code developing code if
you like structure and standards and approach you can work as a security
manager like working with policies putting process in place whatever so
initially you won't be able to specialize in everything at the same time that's for sure so you probably need to pick something that you like and
you want to drill into it and then after you achieve some level of I don't know if I'm going to call it master or
familiarity with that domain you need to start expanding into the other domains and at least get some knowledge on
what's happening on that domain so if you're an excellent pen tester but you
can't write like two pages of text as as a document a policy guideline or even a
report then that's not going to be great if you are great at writing policies but
you have no understanding of how they technically apply to the organization probably you need to fix
that so find something you like build it good and then start expanding to the adjacent areas and you need to get to a
point where I think it's I squar that says it like this you need to be a mile
wide and an inch deep but you need to be more than an inch deep in certain areas because otherwise you're what's the
other expression um Jack of all trades master have known I
think nice so I have one final question before that thank you so much for your
time I feel like this has been very um what's the word like I learned a lot
that's great thank you yeah and also you call like you said cynical in the beginning and I can see like the The
View but I I feel like you have a very light approach to it like you do it
from a place of you understand the meaning and you understand why it's important but you don't take it let's
say too seriously which is I mean again it's what you can control right so if
you can control it sure put in the effort put in the time put in the not the the stress but the the the passion
behind it if you cannot control it yeah I don't know right okay so my final question is
you've been a seeo for more than a minute what do you like most about the job why do you stay so long so what I
like most about the job is that if done as it's in my mind you get exposure to
every single part of the company and I like learning I like um interacting with
people so being a s means that today I'm talking to developers and then uh my
next meeting will be with finance and then I have to meet some Auditors and then I'm talking to people operations and then I'm talking to my boss to give
him a summary of what's going on so I I do love that part because you you get to understand fully what the company is
doing and you can influence maybe not all the times it's very visible where you influence and
what's the result of that but at least you know that you tried your best either by implementing things or by
Consulting the company how to do things um and also I do like that it's
an never changing field so I still have the energy to keep learning to keep following up what's going on so I do
enjoy it I don't know that's going to be a thing in 10 years if I will still have the energy to follow with that amount of
passion but for now it's working and I find it enjoyable amazing thank you so much
you're welcome